Configuring lookup rules

  • Release version: Zurich
  • Updated July 31, 2025
  • 5 minutes to read

By configuring lookup rules, you can map security exposure data to the correct configuration items (CIs) in the CMDB. This mapping is a critical function because associating exposure findings with the right assets is essential for proper risk assessment, assignment, and remediation workflows.

    Create lookup rule

    Create lookup rules to automatically and accurately associate incoming exposure findings data with the correct configuration items (CIs) in the Configuration Management Database (CMDB). This association is essential for the rest of the vulnerability management process to function correctly.

    Before you begin

    Role required: sn_vul.vulnerability_admin

    About this task

    Creating lookup rules requires advanced ServiceNow and Unified Security Exposure Management (USEM) expertise. Rather than modifying one of the existing lookup rules, consider copying it and modifying the copy. When you are satisfied that the new rule does what you want, deactivate the original.
    Note:
    Rules, once removed, cannot be recovered. Rather than removing existing rules, deactivate them when creating new ones.

    Procedure

    1. Navigate to Workspaces > Security Exposure Management Workspace.
    2. Select Administration in the navigation pane.
    3. Select Review on the Look-up rules tile.
    4. On the Rules page, select Look-up in the navigation pane.
    5. Select New.
    6. On the form, fill in the fields.
      Table 1. Look-up rule form

      Details
      Name: Name of the rule.
      Lookup method: Method used for matching. Choices are:
      • Script: Pre-built (IP address, DNS name, and so on) or custom script.
      • Field matching: Search on a table or field in the CMDB.
      Type: Type used with the Script lookup method.
      Order: Order of precedence for the rule. Rules with the lowest order are evaluated first.
      Active: Check box for whether the rule is active or disabled.
      Source: Source used as input to this rule.
      Source field: Source field used as input to this rule. Select any field, but it is treated as a string value.
      Description: Description of the new look-up rule.
      Lookup target: Lookup approach you want to follow. Select from:
      • Configuration item
      • Product model

      If condition is met
      Condition: Condition based on which the lookup rule is applied. This condition depends on the attribute from the third-party scanner.
      Note:
      The asset attribute is part of the payload received from the third-party scanner. See the Discovered Items table for payload examples.

      Then set this value
      Lookup method: Method used for matching. Choices are:
      • Script: Pre-built (IP address, DNS name, and so on) or custom script.
      • Field matching: Search on a table or field in the CMDB.
      Search on CI table: Table to search within the CMDB. Used with the Field matching lookup method.
      Search on product table: If you choose the Product model lookup target, the default value is Application Model.
      Search on CI field: Field that contains information that can be used to locate a CI. Used with the Field matching lookup method. This field may be on the CI record or on a related record, such as a network adapter.
      Search on product model field: If you choose the Product model lookup target, the default value is Name.
      Type: Type used with the Script lookup method.
      Script: An editable sample script, based on the Type, is shown. Implement the custom script following the comments included in the template of the default function.
      Note:
      The process function has three parameters: rule, sourceValue, and sourcePayload.

    7. Select Save.

      For more implementation information for lookup rules, see Steps to help prevent duplicate or orphaned records after running Vulnerability Response CI lookup rules.

      Figure 1. Example of a CI lookup rule using a condition builder for V12.0
      Figure 2. Example of a CI lookup rule using a script prior to V12.0

    Ignore CI classes

    To ignore some configuration item (CI) classes, for example Load Balancer [cmdb_ci_lb], when running CI Lookup Rules, set the ignoreCIClass [sn_sec_cmn.ignoreCIClass] system property.

    Before you begin

    Role required: admin
    Note:

    The ignoreCIClass system property is available starting with Vulnerability Response v9.0. However, the property functionality is not available upon upgrade from any previous version.

    If you have upgraded from any Security Operations application prior to version 9.0, see KB0788209 for instructions on how to enable this functionality.

    Procedure

    1. Enter sys_properties.list in the left navigation bar.
    2. Press Enter.
    3. In the search field under Name, enter sn_sec_cmn.ignoreCIClass.
    4. In the Value text box, enter the CI classes to exclude as a comma-separated list.
      Figure: ignoreCIClass system property example.
    5. Click Update.
      This list is used by CI lookup rules during the next import. Vulnerable items created during the import are not associated with a CI of any class listed in the Value field of the sn_sec_cmn.ignoreCIClass system property.
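      To make the lookup-rule semantics from the Create lookup rule section and the class exclusion from the Ignore CI classes section concrete, here is an added, self-contained JavaScript simulation. It is not ServiceNow code and not part of this page: an in-memory array stands in for the cmdb_ci table, and a small engine applies rules in Order, honours the Active flag, treats the source field as a string, calls a custom process(rule, sourceValue, sourcePayload) script, and never returns a CI whose class is listed in a stand-in for sn_sec_cmn.ignoreCIClass. The process parameter names come from the table above; the return contract (a CI sys_id or null), the rule object fields, the CI records and the scanner payloads are all assumptions constructed for the example. In a real instance a script would query the CMDB with GlideRecord rather than an array.

```javascript
// Constructed CI records standing in for rows of the cmdb_ci table (not real CMDB data).
const CMDB_CI = [
  { sys_id: 'ci-lb-01',  sys_class_name: 'cmdb_ci_lb',                name: 'lb01',  ip_address: '10.0.0.7', dns_name: 'lb01.example.com' },
  { sys_id: 'ci-web-01', sys_class_name: 'cmdb_ci_linux_server',      name: 'web01', ip_address: '10.0.0.5', dns_name: 'web01.example.com' },
  { sys_id: 'ci-db-01',  sys_class_name: 'cmdb_ci_db_mysql_instance', name: 'db01',  ip_address: '10.0.0.9', dns_name: 'db01.example.com' },
];

// Stand-in for the value of the sn_sec_cmn.ignoreCIClass system property.
const IGNORE_CI_CLASS = 'cmdb_ci_lb';

// Parse the comma-separated class list the property holds.
function parseIgnoreCIClass(value) {
  return String(value || '').split(',').map((s) => s.trim()).filter(Boolean);
}

// Field-matching lookup: return the sys_id of the first CI whose field equals the
// source value. The source value is compared as a string, as the form description says,
// and CIs of an ignored class are never returned.
function fieldMatch(table, field, sourceValue, ignored) {
  const needle = String(sourceValue).trim().toLowerCase();
  if (!needle) return null;
  const hit = table.find((ci) =>
    !ignored.includes(ci.sys_class_name) &&
    String(ci[field] || '').toLowerCase() === needle);
  return hit ? hit.sys_id : null;
}

// A custom script in the shape the documentation describes: process(rule, sourceValue, sourcePayload).
// Assumed return contract: a CI sys_id, or null when nothing matches. This one strips the
// domain from a scanner hostname and matches the short name against the CI name field.
function shortHostnameScript(rule, sourceValue, sourcePayload) {
  const short = String(sourceValue).split('.')[0];
  return fieldMatch(rule.lookupTable, 'name', short, rule.ignored);
}

// Rule engine (assumed behaviour): active rules are evaluated in order of precedence
// (lowest Order first); the first rule whose condition holds and whose lookup returns a CI wins.
function applyLookupRules(sourcePayload, rules, ignoreCIClassValue) {
  const ignored = parseIgnoreCIClass(ignoreCIClassValue);
  const ordered = rules.filter((r) => r.active).slice().sort((a, b) => a.order - b.order);
  for (const rule of ordered) {
    if (!rule.condition(sourcePayload)) continue;
    const raw = sourcePayload[rule.sourceField];
    const sourceValue = raw == null ? '' : String(raw); // source field is treated as a string
    let ciSysId = null;
    if (rule.lookupMethod === 'field') {
      ciSysId = fieldMatch(CMDB_CI, rule.searchOnField, sourceValue, ignored);
    } else if (rule.lookupMethod === 'script') {
      ciSysId = rule.script({ ...rule, lookupTable: CMDB_CI, ignored }, sourceValue, sourcePayload);
    }
    if (ciSysId) return { ciSysId, rule: rule.name };
  }
  return { ciSysId: null, rule: null };
}

// Constructed rules, deliberately listed out of Order to show that precedence, not list
// position, decides. The legacy rule is kept but deactivated, as the text recommends.
const RULES = [
  { name: 'Match by IP',           order: 200, active: true,  sourceField: 'ip_address', lookupMethod: 'field',  searchOnTable: 'cmdb_ci', searchOnField: 'ip_address', condition: (p) => Boolean(p.ip_address) },
  { name: 'Match by DNS name',     order: 100, active: true,  sourceField: 'dns_name',   lookupMethod: 'field',  searchOnTable: 'cmdb_ci', searchOnField: 'dns_name',   condition: (p) => Boolean(p.dns_name) },
  { name: 'Legacy hostname rule',  order: 10,  active: false, sourceField: 'hostname',   lookupMethod: 'script', script: shortHostnameScript,                          condition: () => true },
  { name: 'Short hostname script', order: 300, active: true,  sourceField: 'hostname',   lookupMethod: 'script', script: shortHostnameScript,                          condition: (p) => Boolean(p.hostname) },
];

// Constructed scanner payloads (the sourcePayload a third-party scanner would send).
const FINDING_WEB = { dns_name: 'WEB01.example.com', ip_address: '10.0.0.5', hostname: 'web01' };
const FINDING_LB  = { ip_address: '10.0.0.7', hostname: 'lb01.example.com' };
const FINDING_DB  = { hostname: 'DB01.corp.example.com' };

console.log(applyLookupRules(FINDING_WEB, RULES, IGNORE_CI_CLASS)); // { ciSysId: 'ci-web-01', rule: 'Match by DNS name' }
console.log(applyLookupRules(FINDING_LB,  RULES, IGNORE_CI_CLASS)); // { ciSysId: null, rule: null } (load balancer class ignored)
console.log(applyLookupRules(FINDING_LB,  RULES, ''));              // { ciSysId: 'ci-lb-01', rule: 'Match by IP' }
console.log(applyLookupRules(FINDING_DB,  RULES, IGNORE_CI_CLASS)); // { ciSysId: 'ci-db-01', rule: 'Short hostname script' }
```

      The second and third calls show why the ignoreCIClass list matters for risk attribution: with the load balancer class excluded, a finding that only carries the shared address returns no CI instead of silently attaching the vulnerable item to the wrong asset. The deactivated legacy rule, although it has the lowest Order, never runs, which is the safe way to retire a rule because removed rules cannot be recovered.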

    Reapply lookup rules on selected discovered items

    Reapply the lookup rules on selected discovered items from the Discovered Items list view, using the actions available on selected rows. If the configuration item (CI) changes after you reapply the rules, the discovered items are updated with the new CI and the impacted detections. Vulnerable items are also updated.

    Before you begin

    Role required: admin

    About this task

    For more information, see CI changes for discovered items.

    For more information on CI matching and the CMDB, discovered item lookup, and rule-based identification, see the CI matching in Vulnerability Response [KB0998706] article in the HI Knowledge Base.

    Procedure

    1. Navigate to All > Security operations > CMDB > Discovered Items.
    2. Select the required discovered items and select Action on selected rows.
      Figure: Reapply CI lookup rules on Discovered Items.
    3. From the list, select Reapply CI lookup rules.
      Note:
      You can skip the reapplication of lookup rules on discovered items with the substate ‘CI Decommissioned’ by enabling the system property sn_sec_cmn.skipItemsWithCIDecommissioned.

      The rules are reapplied on these discovered items.

    4. Select View status in the message.

      The status displays on the background job form.

      Note:
      A non-zero value in the Discovered items could not be processed due to exception attribute of the Notes field indicates that an error or exception occurred while reapplying a look-up rule. Check the system logs for more details.
    5. Reapply only applies to items scanned within the last 90 days, based on the last_scan_date, last_comp_scan_date, non_infra_last_scan_date, and non_infra_last_comp_scan_date columns.

      The ci_lifecycle_status_source (scope = sn_sec_cmn) system property configures which CI lifecycle status columns (for example, Install Status, Operational Status) are used. You can configure additional columns for retiring CIs.

      The following columns are added to the background job list view:
      • Elapsed Time(ms): The time required for processing the background job.
      • Items Processed: The number of items processed so far.
      • Total Items to be Processed: The total number of items remaining to be processed.
      • Time Until Completion(ms): The time remaining until the background job completes.

      These columns provide visibility into job progress. They are available in each form view for you to add as required.